This technology helps protect users and developers from common cross-site scripting attacks that can be found on the web.

In fact, CSP is enforced by default for every packaged app.

Because packaged apps have access to even more features than a web app, CSP has disabled some features that you might expect as a developer, such as inline scripts like click handlers and <script> tags with code inside, and the 'eval' and 'new Function' methods. We know that sometimes you need to use these features, so we've introduced a feature called "sandboxed pages".

These are pages in your app that use all the features of the current web such as eval, new Function and inline script tags, but importantly have no direct access to advanced packaged app features.

The third protection in apps is the permissions model.

Apps can't just use any feature they want.

The user needs to have granted access to this feature.

You can easily declare your app's intent by configuring the permissions that you need in the manifest file.

For example, you can declare that your app needs access to the user's video camera, or access to raw sockets.
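As an added example (not from the video), here is a manifest.json that declares the two things just described: one sandboxed page that may use eval and inline scripts, and the permissions for the camera and raw sockets. The key names ("sandbox", "permissions", "videoCapture", the "socket" rule) follow the Chrome packaged app manifest format as I recall it and are assumptions to check against the current manifest documentation.

```json
{
  "name": "Feed Reader",
  "version": "0.1",
  "manifest_version": 2,
  "app": {
    "background": {
      "scripts": ["background.js"]
    }
  },
  "sandbox": {
    "pages": ["sandbox.html"]
  },
  "permissions": [
    "videoCapture",
    { "socket": ["tcp-connect"] }
  ]
}
```

Only sandbox.html may use eval, new Function and inline script tags; every other page in the package stays under the default CSP, and the sandboxed page cannot call the packaged app APIs. Everything the app may do beyond an ordinary web page is listed under "permissions", so the user sees the app's intent before it runs.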

Finally, another security measure is the <browser> tag for web content.

Imagine you are building an RSS feed reader that will show news articles in the app experience.

Adding web content directly is dangerous, as you have no control over what external authors are adding to their content.

However, the user experience demands that you show the content.

The <browser> tag is like an iframe in that it will allow you to embed web content into your app from an external resource, but it is entirely isolated from your app.

This was just a quick overview of the security model for packaged apps.